Abstract



In this paper homomorphic cryptosystems are designed for the first time over an arbitrary finite group. Applying Barrington's construction we produce, for any boolean circuit of logarithmic depth, its encrypted simulation of polynomial size over an appropriate finitely generated group.



1 Homomorphic cryptography over groups 

1.1. Definitions and results. An important problem of modern cryptography concerns secret public-key computations in algebraic structures. There are many public-key cryptosystems using groups (see e.g. [21 EI3 EH E21 EU EH1 EE1 EH 122] and also Subsection 1.3) but only a few of them have a homomorphic property in the sense of the following definition (cf. [11]).



Definition 1.1 Let $H$ be a finite nonidentity group, $G$ a finitely generated group and $f : G \to H$ an epimorphism. Suppose that $R$ is a right transversal of $\ker(f)$ in $G$, $A$ is a set and $P : A \to G$ is a mapping such that $\operatorname{im}(P) = \ker(f)$. A triple $S = (A, P, R)$ is called a homomorphic cryptosystem over $H$ with respect to $f$, if the following conditions are satisfied for a certain integer $N \ge 1$ (called the size of $S$):

(H1) the elements of the set $A$ are represented by words in a certain alphabet; one can get randomly an element of $A$ of size $N$ within probabilistic time $N^{O(1)}$,

(H2) the elements of the group $G$ are represented by words in a certain alphabet; one can test the equality of elements in $G$ and perform the group operations in $G$ (taking the inverse and computing the product) in time $N^{O(1)}$, provided that the sizes of the corresponding words are at most $N$,

(H3) the set $R$, the group $H$ and the bijection $R \to H$ induced by $f$ are given by the list of elements, the multiplication table and the list of pairs $(r, f(r))$, respectively; $|R| = |H| = O(1)$,

(H4) the mapping $P$ is a trapdoor function (cf. [8]), i.e. given a word $a \in A$ of length $|a|$ the element $P(a)$ can be computed within probabilistic time $|a|^{O(1)}$, whereas the problem INVERSE($P$) is computationally hard, while it can be solved by means of some additional secret information,

where for any mapping $P : A \to G$ we define INVERSE($P$) to be the problem of testing whether a given $g \in G$ belongs to $\operatorname{im}(P)$ and yielding a random element $a \in A$ such that $P(a) = g$ whenever $g \in \operatorname{im}(P)$.

Remark 1.2 Having random generation in the set $A$ one can easily generate elements of the group $G$ in the form $P(a)r$, $a \in A$, $r \in R$.

In a homomorphic cryptosystem $S$ the elements of $H$, playing the role of the alphabet of plaintext messages, are publicly encrypted in a probabilistic manner by the elements of $G$, playing the role of the alphabet of ciphertext messages; all the computations are performed in $G$ and the result is decrypted to $H$. More precisely:

Public Key: the homomorphic cryptosystem $S$.
Secret Key: INVERSE($P$).

Encryption: given a plaintext $h \in H$ encrypt as follows: take $r \in R$ such that $f(r) = h$ (invoking (H3)) and a random element $a \in A$ (using (H1)); the ciphertext of $h$ is the element $P(a)r$ of $G$ (computed by means of (H2) and (H4)).

Decryption: given a ciphertext $g \in G$ decrypt as follows: find the elements $r \in R$ and $a \in A$ such that $gr^{-1} = P(a)$ (using (H4)); the plaintext of $g$ is the element $f(r)$ of $H$ (computed by means of (H3)).

The main result of the present paper consists in the construction of a homomorphic cryptosystem over an arbitrary finite nonidentity group; its security is based on the difficulty of the following slight generalization of the factoring problem, FACTOR($n, m$): given a positive integer $n = pq$ with $p$ and $q$ being primes (of the same size), a number $m \ge 2$ of constant size such that $G_{n,m}/(\mathbb{Z}_n^*)^m \cong \mathbb{Z}_m^+$, where $G_{n,m} = \{ g \in \mathbb{Z}_n^* : J_n(g) \in \{1, (-1)^{m \bmod 2}\} \}$ with $J_n$ being the Jacobi symbol, and a transversal of $(\mathbb{Z}_n^*)^m$ in $G_{n,m}$, find the numbers $p, q$. In addition, we assume that $m \mid p - 1$ and $\mathrm{GCD}(m, q - 1) = \mathrm{GCD}(m, 2)$.

Theorem 1.3 Let $H$ be a finite nonidentity group and $N \in \mathbb{N}$. Then one can design a homomorphic cryptosystem $S(H, N)$ of size $O(N)$ over the group $H$; the problem INVERSE($P$), where $P$ is the trapdoor function, is probabilistic polynomial time equivalent to the problems FACTOR($n, m$) for appropriate $n = \exp(O(N))$ and $m$ running over the divisors of $|H|$.

First this result is proved for a cyclic group $H$ (see Section 2), in which case the group $G$ is a finite Abelian group. Then in Section 3 a homomorphic cryptosystem is produced for an arbitrary $H$, in which case the group $G$ is a free product of certain Abelian groups constructed in Section 2. In Section 4 we recall the result from PQ giving a polynomial size simulation of any boolean circuit $B$ of logarithmic depth over an arbitrary unsolvable group $H$ (in particular, one can take $H$ to be the symmetric group $\mathrm{Sym}(5)$). Combining this result with Theorem 1.3 provides an encrypted simulation of $B$ over the group $G$: the output of this simulation at a particular input is a certain element $g \in G$, and thereby to know the output of $B$ one has to be able to calculate $f(g) \in H$, which is supposedly difficult due to Theorem 1.3. We mention that a different approach to encrypting boolean circuits was undertaken in [21].

1.2. Discussion on complexity and security. One can see that the encryption procedure can be performed efficiently by means of the public key. However, the decryption procedure is a secret one in the following sense. To find the element $r$ one has in fact to solve the membership problem for the subgroup $\ker(f)$ of the group $G$. We assume that a solution for each instance $g' \in \ker(f)$ of this problem must have a "proof", which is actually an element $a \in P^{-1}(g')$. Thus, the secrecy of the system is based on the assumption that finding an element in the set $P^{-1}(g')$, i.e. solving INVERSE($P$), is an intractable computational problem. On the other hand, our ability to compute $P^{-1}$ enables us to efficiently implement the decryption algorithm. One can treat $P$ as a proof system for membership in $\ker(f)$ in the sense of jH]. Moreover, in the case when $A$ is a certain group and $P$ is a homomorphism we have the following exact sequence of group homomorphisms

$$A \xrightarrow{P} G \xrightarrow{f} H \to \{1\} \qquad (1)$$

(recall that exactness means that the image of each homomorphism in the sequence coincides with the kernel of the next one).

The usual way of providing evidence of the security of a cryptosystem in public-key cryptography is to fix a certain type of attack (an algorithm) on cryptosystems and to prove that the cryptosystem is resistant with respect to this type of attack. Resistance usually means that breaking the cryptosystem with the help of the fixed type of attack implies a certain statement commonly believed to be implausible. The statement most frequently used in cryptography (which we rely on as well) is the possibility of factoring an integer that is a product of a pair of primes. Thus the type of attack we fix is the following: to break a homomorphic cryptosystem means to be able to solve INVERSE($P$) (in other words, to reveal the trapdoor).

Notice that in the present paper the group $H$ is always rather small, while the group $G$ may be infinite, though always finitely generated. However, the infiniteness of $G$ is not an obstacle to performing the encryption and decryption algorithms (using the trapdoor information), since $G$ is a free product of groups of a number-theoretic nature like $\mathbb{Z}_n^*$; therefore one can easily verify condition (H2), and on the other hand this allows one to provide evidence for the difficulty of decryption. In this connection we mention a public-key cryptosystem from [6] in which $f$ was the natural epimorphism from a free group $G$ onto the group $H$ (infinite, non-abelian in general) given by generators and relations. In this case for any element of $H$ one can produce its preimages (encryptions) by inserting into a word from $G$ (being an already produced preimage under $f$) any relation defining $H$. In other terms, decrypting $f$ reduces to the word problem in $H$. In our approach the word problem is easily solvable due to a special presentation of the group $G$ (rather than one given by generators and relations).

1.3. Cryptosystems based on groups. To the best of our knowledge all homomorphic cryptosystems known at present are more or less modifications of the following one. Let $n$ be the product of two distinct large primes of size of the order $\log n$. Set $G = \{ g \in \mathbb{Z}_n^* : J_n(g) = 1 \}$ and $H = \mathbb{Z}_2^+$. Then given a non-square $r \in G$ the triple $(A, P, R)$ where

$$R = \{1, r\}, \qquad A = \mathbb{Z}_n^*, \qquad P(g) : g \mapsto g^2,$$

is a homomorphic cryptosystem over $H$ with respect to the natural epimorphism $f : G \to H$ with $\ker(f) = \{ g^2 : g \in \mathbb{Z}_n^* \}$ (see [SJIE]). We call it the quadratic residue cryptosystem. It can be proved (see El) that in this case solving the problem INVERSE($P$) is not easier than factoring $n$, whereas given a prime divisor of $n$ this problem can be solved in probabilistic polynomial time in $\log n$.

It is an essential assumption (and a shortcoming) of the quadratic residue cryptosystem, as well as of the other cryptosystems cited below, that its security relies on a fixed a priori proof system $P$. Indeed, it is not excluded that an adversary could verify whether an element of $G$ belongs to $\ker(f)$ without making use of $P$; for example, in the case of the quadratic residue cryptosystem that would mean verifying that $g \in G$ is a square without providing a square root of $g$. There is, however, a common conjecture that verifying that an element is a square (as well as some other power) is also difficult.

Let us mention that the cryptosystem from ^1 over $H = \mathbb{Z}_n^+$ (for the same assumptions on $n$ as in the quadratic residue cryptosystem) with respect to the homomorphism $f : G \to H$, where $G = \mathbb{Z}_{n^2}^*$ and $\ker(f) = \{ g^n : g \in G \}$, in which $A = G$ and $P : g \mapsto g^n$, is not homomorphic in the sense of Definition 1.1 because condition (H3) does not hold for it. (In particular, since $|G| < |H|^2$, one can invert $P$ in polynomial time in $|H|$.) For the same reason the cryptosystem from ^7j over $H = \mathbb{Z}_p^+$ with respect to the homomorphism $f : G \to H$, where $G = \mathbb{Z}_{p^2 q}^*$ and $\ker(f) = \{ g^{pq} : g \in G \}$ (here the integers $p, q$ are distinct large primes of the same size), is also not homomorphic (besides, in this system only a part of the group $H$ is encrypted). Some cryptosystems over certain dihedral groups were studied in . More generally, in ^T] homomorphic cryptosystems were designed over an arbitrary nonidentity solvable group.

We note in addition that an alternative setting of a homomorphic (in fact, isomorphic) encryption $E$ (and decryption $D = E^{-1}$) was proposed in [14]. Unlike Definition 1.1, the encryption $E : G \to G$ is executed in the same set $G$ (being an elliptic curve over the ring $\mathbb{Z}_n$) treated as the set of plaintext messages. If $n$ is composite, then $G$ is not a group, while being endowed with a partially defined binary operation which turns $G$ into a group when $n$ is prime. The problem of decrypting this cryptosystem is close to the factoring of $n$. In this respect ^3] is similar to the well-known RSA scheme (see e.g. jS]), if one interprets RSA as a homomorphism (in fact, an isomorphism) $E : \mathbb{Z}_n^* \to \mathbb{Z}_n^*$, for which the security relies on the difficulty of finding the order of the group $\mathbb{Z}_n^*$.

We complete the section by mentioning some cryptosystems using groups but not being homomorphic in the sense of Definition 1.1. The well-known example is a cryptosystem which relies on the Diffie-Hellman key agreement protocol (see e.g. [S]). It involves cyclic groups and relates to the discrete logarithm problem [T^]; the complexity of this system was studied in 0J. Some generalizations of this system to non-abelian groups (in particular, matrix groups over some rings) were suggested in [THj, where secrecy was based on an analog of the discrete logarithm problem in groups of inner automorphisms. Certain variations of the Diffie-Hellman systems over the braid groups were described in [15]; there several trapdoor one-way functions connected with the conjugacy and root-taking problems in the braid groups were proposed. Finally it should be noted that the cryptosystem from jTH] is based on a monomorphism $\mathbb{Z}_m^+ \to \mathbb{Z}_n^*$ by means of which $x$ is encrypted by $g^x \pmod n$, where $n, g$ constitute a public key; its decryption relates to the discrete logarithm problem and is feasible in this situation due to a special choice of $n$ and $m$ (cf. also [2]).

2 Homomorphic cryptosystems over cyclic groups 

In this section we present an explicit homomorphic cryptosystem over a cyclic group of order $m > 1$ whose decryption is based on taking $m$-th roots in the group $\mathbb{Z}_n^*$ for a suitable $n \in \mathbb{N}$. It can be considered in a sense as a generalization of the quadratic residue cryptosystem over $\mathbb{Z}_2^+$. Throughout this section given $n \in \mathbb{N}$ we denote by $|n|$ the size of the number $n$.

Given a positive integer $m > 1$ denote by $D_m$ the set of all pairs $(p, q)$ where $p$ and $q$ are distinct odd primes such that

$$p - 1 \equiv 0 \pmod m \quad\text{and}\quad \mathrm{GCD}(m, q - 1) = \mathrm{GCD}(m, 2). \qquad (2)$$

Let $(p, q) \in D_m$, $n = pq$ and $G_{n,m}$ be the group defined by

$$G_{n,m} = \{ g \in \mathbb{Z}_n^* : J_n(g) \in \{1, (-1)^{m \bmod 2}\} \}. \qquad (3)$$

Thus $G_{n,m} = \mathbb{Z}_n^*$ for odd $m$ and $[\mathbb{Z}_n^* : G_{n,m}] = 2$ for even $m$. In any case this group contains each element $h = h_p \times h_q$ such that $\langle h_p \rangle = \mathbb{Z}_p^*$ and $\langle h_q \rangle = \mathbb{Z}_q^*$, where $h_p$ and $h_q$ are the $p$-component and the $q$-component of $h$ with respect to the canonical decomposition $\mathbb{Z}_n^* = \mathbb{Z}_p^* \times \mathbb{Z}_q^*$. From (2) it follows that $m$ divides the order of any such element $h$ and $\{1, h, \ldots, h^{m-1}\}$ is a transversal of the group $G_{n,m}^m = \{ g^m : g \in G_{n,m} \}$ in $G_{n,m}$. This implies that $G_{n,m}/G_{n,m}^m \cong \mathbb{Z}_m^+$, where the corresponding epimorphism is given by the mapping

$$f_{n,m} : G_{n,m} \to \mathbb{Z}_m^+, \qquad g \mapsto i_g$$

with $i_g$ being the element of $\mathbb{Z}_m^+$ such that $g \in G_{n,m}^m h^{i_g}$. From (3) it follows that $\ker(f_{n,m}) = G_{n,m}^m = \operatorname{im}(P_{n,m})$, where

$$P_{n,m} : A_{n,m} \to G_{n,m}, \qquad a \mapsto a^m$$

is a homomorphism from the group $A_{n,m} = \mathbb{Z}_n^*$ to the group $G_{n,m}$. In particular, we have the exact sequence (1) with $A = A_{n,m}$, $P = P_{n,m}$, $f = f_{n,m}$, $G = G_{n,m}$ and $H = \mathbb{Z}_m^+$.
Next, it is easily seen that any element of the set

$$\mathcal{R}_{n,m} = \{ R \subset G_{n,m} : |f_{n,m}(R)| = |R| = m \}$$

is a right transversal of $G_{n,m}^m$ in $G_{n,m}$. We notice that by the Dirichlet theorem on primes in arithmetic progressions (see e.g. j^j) the set $D_m$ is not empty. Moreover, for the same reason the set

$$D_{N,m} = \{ n \in \mathbb{N} : n = pq,\ (p, q) \in D_m,\ |p| = |q| = N \}$$

is also nonempty for sufficiently large $N \in \mathbb{N}$.

Theorem 2.1 Let $H$ be a cyclic group of order $m > 1$. Then given $N \in \mathbb{N}$ and $n \in D_{N,m}$ one can design a homomorphic cryptosystem $S_n(H, N)$ of size $O(N)$ over the group $H$; the problem INVERSE($P$), where $P$ is the trapdoor function, is probabilistic polynomial time equivalent to the problem FACTOR($n, m$).
Proof. First we describe a probabilistic polynomial time algorithm which yields a certain $n \in D_{N,m}$. The algorithm picks random integers $p \equiv 1 \pmod m$ and $q \equiv -1 \pmod m$ from the interval $[2^N, 2^{N+1}]$ and tests the primality of the picked numbers by means of e.g. [25]. According to [3] there is a constant $c > 0$ such that for any $b$ relatively prime with $m$ there are at least $c\,2^N/(\varphi(m) N)$ primes of the form $mx + b$ in the interval $[2^N, 2^{N+1}]$. Therefore, after $O(N)$ attempts the algorithm yields a pair $(p, q) \in D_m$ with probability greater than $2/3$ (actually, one can replace $2/3$ by an arbitrary constant less than 1). Thus given $N \in \mathbb{N}$ one can design in probabilistic time $N^{O(1)}$ a number $n \in D_{N,m}$, a random element $R \in \mathcal{R}_{n,m}$ (see e.g. [15]) and the triple

$$S_n(H, N) = (A, P, R) \qquad (4)$$

where $A = A_{n,m}$ and $P = P_{n,m}$ (below without loss of generality we assume that $H = \mathbb{Z}_m^+$).

We will show that for any $n \in D_{N,m}$ and $R \in \mathcal{R}_{n,m}$ the triple $S_n(H, N)$ is a homomorphic cryptosystem of size $O(N)$ over the group $H$ with respect to the epimorphism $f : G \to H$ where $f = f_{n,m}$ and $G = G_{n,m}$. For this purpose we note that in this case there is the exact sequence (1) (see above). Next, we represent the elements of the set $A$ and of the group $G$ by integers modulo $n$, and those of the group $H$ by integers modulo $m$. Then conditions (H1), (H2) and (H3) of Definition 1.1 are trivially satisfied. Since the epimorphism $P$ is obviously polynomial time computable, it suffices to verify condition (H4), i.e. that the problems INVERSE($P$) and FACTOR($n, m$) are probabilistic polynomial time equivalent.

Suppose that we are given an algorithm solving the problem FACTOR($n, m$). Then we can find the decomposition $n = pq$. Now using Rabin's probabilistic polynomial-time algorithm for finding roots of polynomials over finite prime fields (see [20]), we can solve the problem INVERSE($P$) for an element $g \in G$ as follows:

Step 1. Find the numbers $g_p \in \mathbb{Z}_p^*$ and $g_q \in \mathbb{Z}_q^*$ such that $g = g_p \times g_q$, i.e. $g_p \equiv g \pmod p$, $g_q \equiv g \pmod q$.

Step 2. Apply Rabin's algorithm for the field of order $p$ to the polynomial $x^m - g_p$ and for the field of order $q$ to the polynomial $x^m - g_q$. If at least one of these polynomials has no roots, then output "$P^{-1}(g) = \emptyset$"; otherwise let $h_p$ and $h_q$ be corresponding roots.

Step 3. Output "$P^{-1}(g) \ne \emptyset$" and $h = h_p \times h_q$.

We observe that the set $P^{-1}(g)$ is empty, i.e. $g$ is not an $m$-th power in $G$, iff at least one of the elements $g_p$ and $g_q$ found at Step 1 is not an $m$-th power in $\mathbb{Z}_p^*$ and $\mathbb{Z}_q^*$ respectively. This implies the correctness of the output at Step 2. On the other hand, if the procedure terminates at Step 3, then $h^m = h_p^m \times h_q^m = g_p \times g_q = g$, i.e. $h \in P^{-1}(g)$. Thus the problem INVERSE($P$) is reduced to the problem FACTOR($n, m$) in probabilistic time

Conversely, suppose that we are given an algorithm solving the problem INVERSE($P$). Then the following procedure, using well-known observations [8], enables us to find the decomposition $n = pq$.

Step 1. Randomly choose $g \in \mathbb{Z}_n^*$. Set $T = \{g\}$.

Step 2. While $|T| < 3 - (m \bmod 2)$, add to $T$ a random $m$-th root of the element $g^m$ yielded by the algorithm for the problem INVERSE($P$).

Step 3. Choose $h_1, h_2 \in T$ such that $q = \mathrm{GCD}(h_1 - h_2, n) \ne 1$. Output $q$ and $p = n/q$.

To prove the correctness of the procedure we observe that there exist at least 2 (resp. 4) different $m$-th roots of the element $g^m$ for odd $m$ (resp. for even $m$), where $g$ is the element chosen at Step 1. So the loop at Step 2, and hence the entire procedure, terminates with large probability after a polynomial number of iterations. Moreover, let $T_q = \{ h_q : h \in T \}$ where $h_q$ is the $q$-component of $h$. Then from (2) it follows that $|T_q| = 1$ for odd $m$, and $|T_q| \le 2$ for even $m$. Due to the construction of $T$ at Step 2 this implies that there exist different elements $h_1, h_2 \in T$ such that $(h_1)_q = (h_2)_q$, and consequently

$$h_1 \equiv (h_1)_q = (h_2)_q \equiv h_2 \pmod q.$$

Since $h_1 \not\equiv h_2 \pmod n$, we conclude that $h_1 - h_2$ is a multiple of $q$ and the output at Step 3 is correct. ■

We complete the section by mentioning that the decryption algorithm of the homomorphic cryptosystem $S_n(H, N)$ can be slightly modified to avoid applying Rabin's algorithm for finding roots of polynomials over finite fields. Indeed, it is easy to see that an element $g = g_p \times g_q$ of the group $G$ belongs to the group $G^m$ iff $g^{(p-1)/m} \equiv 1 \pmod p$ and $g^{(q-1)/m'} \equiv 1 \pmod q$, where $m' = \mathrm{GCD}(m, q - 1)$.
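The construction of this section worked through on toy parameters, as an added example that is not code from the paper: the class builds $S_n(H, N)$ for $H = \mathbb{Z}_m^+$ from a pair $(p, q) \in D_m$, encrypts by $P(a)r$, decrypts with the power-residue criterion just stated in place of Rabin's algorithm, and the last function carries out Steps 1-3 of the converse reduction using the root oracle that the trapdoor provides. Assumed (mine, not the paper's): tiny primes instead of $N$-bit ones, brute-force root finding, and all function and class names.

```python
"""Toy instance of the Section 2 cryptosystem S_n(H, N) over H = Z_m^+.  Added example,
not code from the paper; the primes are tiny, so nothing here is secure.  It makes the
objects of the section concrete: D_m (2), G_{n,m} (3), P_{n,m}(a) = a^m, the transversal
R = {1, h, ..., h^{m-1}}, decryption by the m-th power residue test, and both reductions."""
import math
import random


def jacobi(a, n):
    """Jacobi symbol J_n(a) for odd n > 0."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def crt(xp, xq, p, q):
    """The element of Z_n^* = Z_p^* x Z_q^* with p-component xp and q-component xq."""
    return (xp * q * pow(q, -1, p) + xq * p * pow(p, -1, q)) % (p * q)


def primitive_root(r):
    """A generator of Z_r^* for a small prime r (brute force)."""
    return next(x for x in range(2, r) if all(pow(x, k, r) != 1 for k in range(1, r - 1)))


class PowerResidueSystem:
    def __init__(self, p, q, m):
        # (p, q) in D_m: p - 1 = 0 (mod m) and GCD(m, q - 1) = GCD(m, 2), condition (2)
        assert p != q and (p - 1) % m == 0 and math.gcd(m, q - 1) == math.gcd(m, 2)
        self.p, self.q, self.m, self.n = p, q, m, p * q
        self.m1 = math.gcd(m, q - 1)            # m' of the last paragraph of Section 2
        # h = h_p x h_q with <h_p> = Z_p^* and <h_q> = Z_q^*; by (2) the powers
        # 1, h, ..., h^{m-1} form a transversal of G^m_{n,m} in G_{n,m}
        self.h = crt(primitive_root(p), primitive_root(q), p, q)
        self.R = [pow(self.h, i, self.n) for i in range(m)]

    # public part: G_{n,m}, A_{n,m} = Z_n^*, P_{n,m} and encryption
    def in_G(self, g):
        """g in G_{n,m} = {g in Z_n^* : J_n(g) in {1, (-1)^(m mod 2)}}, see (3)."""
        return math.gcd(g, self.n) == 1 and jacobi(g, self.n) in (1, (-1) ** (self.m % 2))

    def P(self, a):
        return pow(a, self.m, self.n)

    def random_A(self):
        while True:
            a = random.randrange(1, self.n)
            if math.gcd(a, self.n) == 1:
                return a

    def encrypt(self, i):
        """Plaintext i in Z_m^+ -> ciphertext P(a) * r with r = h^i in R and random a."""
        return self.P(self.random_A()) * self.R[i % self.m] % self.n

    # secret part: INVERSE(P) with the trapdoor (p, q)
    def is_m_power(self, g):
        """g in G^m_{n,m} iff g^((p-1)/m) = 1 (mod p) and g^((q-1)/m') = 1 (mod q)."""
        return (pow(g, (self.p - 1) // self.m, self.p) == 1
                and pow(g, (self.q - 1) // self.m1, self.q) == 1)

    def decrypt(self, g):
        """f_{n,m}(g) = i_g, the i with g in G^m_{n,m} h^i."""
        assert self.in_G(g)
        for i, r in enumerate(self.R):
            if self.is_m_power(g * pow(r, -1, self.n) % self.n):
                return i
        raise ValueError("g lies in no coset G^m h^i")

    def random_m_root(self, g):
        """Random element of P^{-1}(g), or None if that set is empty (Steps 1-3 of the
        first reduction; brute force mod p and mod q stands in for Rabin's algorithm)."""
        rp = [x for x in range(1, self.p) if pow(x, self.m, self.p) == g % self.p]
        rq = [x for x in range(1, self.q) if pow(x, self.m, self.q) == g % self.q]
        if not rp or not rq:
            return None
        return crt(random.choice(rp), random.choice(rq), self.p, self.q)


def factor_with_root_oracle(n, m, root_oracle):
    """Steps 1-3 of the converse reduction: collect random m-th roots of g^m until two of
    them agree mod q but differ mod n; then GCD(h1 - h2, n) is a proper divisor of n."""
    while True:
        g = random.randrange(2, n)
        if math.gcd(g, n) != 1:
            continue
        T = {g}                                          # Step 1
        while len(T) < 3 - (m % 2):                      # Step 2
            T.add(root_oracle(pow(g, m, n)))
        for h1 in T:                                     # Step 3
            for h2 in T:
                d = math.gcd(h1 - h2, n)
                if 1 < d < n:
                    return (min(d, n // d), max(d, n // d))
```

With $(p, q, m) = (7, 11, 3)$ the transversal is $\{1, 24, 37\}$ and decrypting a product of ciphertexts returns the sum of the plaintexts modulo 3; with $(13, 7, 4)$ the even case, including the Jacobi-symbol condition in (3), is exercised.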

3 Homomorphic cryptosystems using free products 

Throughout the section we denote by $W_X$ the set of all words $w$ in the alphabet $X$; the length of $w$ is denoted by $|w|$. We use the notation $G = \langle X; \mathcal{R} \rangle$ for a presentation of a group $G$ by the set $X$ of generators and the set $\mathcal{R}$ of relations. Sometimes we omit $\mathcal{R}$ to stress that the group $G$ is generated by the set $X$. The unity of $G$ is denoted by $1_G$ and we set $G^\# = G \setminus \{1_G\}$. Finally, given a positive integer $n$ we set $\underline{n} = \{1, \ldots, n\}$.
3.1. Calculations in free products of groups. Let us recall the basic facts on free products of groups (see e.g. [13, Ch. 4]). Let $G_1, \ldots, G_n$ be finite groups, $n \ge 1$. Given a presentation $G_i = \langle X_i; \mathcal{R}_i \rangle$, $i \in \underline{n}$, one can form a group $G = \langle X; \mathcal{R} \rangle$ where $X = \bigcup_{i \in \underline{n}} X_i$ (the disjoint union) and $\mathcal{R} = \bigcup_{i \in \underline{n}} \mathcal{R}_i$. It can be proved that this group does not depend on the choice of the presentations $\langle X_i; \mathcal{R}_i \rangle$, $i \in \underline{n}$. It is called the free product of the groups $G_i$ and is denoted by $G = G_1 * \cdots * G_n$; one can see that it does not depend on the order of the factors. Without loss of generality we assume below that $G_i$ is a subgroup of $G$ and $X_i = G_i^\#$ for all $i$. In this case $G \subset W_X$ and $1_G$ equals the empty word of $W_X$. Moreover, it can be proved that

$$G = \{ x_1 \cdots x_k \in W_X : x_j \in G_{i_j} \text{ for } j \in \underline{k}, \text{ and } i_j \ne i_{j+1} \text{ for } j \in \underline{k-1} \}. \qquad (5)$$

Thus each element of $G$ is a word of $W_X$ in which no two adjacent letters belong to the same set among the sets $X_i$, and any two such different words are different elements of $G$. To describe the multiplication in $G$ let us first define recursively the mapping $W_X \to G$, $w \mapsto \bar{w}$, as follows:

$$\bar{w} = \begin{cases} w, & \text{if } w \in G, \\ \overline{\ldots (x \cdot y) \ldots}, & \text{if } w = \ldots xy \ldots \text{ with } x, y \in X_i \text{ for some } i \in \underline{n}, \end{cases} \qquad (6)$$

where $x \cdot y$ is the product of $x$ by $y$ in the group $G_i$. One can prove that the word $\bar{w}$ is uniquely determined by $w$ and so the mapping is correctly defined. In particular, this implies that given $i \in \underline{n}$ we have

(7)

where $\{j_1, \ldots, j_{k'}\} = \{ j \in \underline{k} : x_j \in G_i \}$. Now given $g, h \in G$ the product of $g$ by $h$ in $G$ equals $\overline{gh}$.

Lemma 3.1 Let $G = G_1 * \cdots * G_n$, $K = K_1 * \cdots * K_n$ be groups and $f_i$ be an epimorphism from $G_i$ onto $K_i$, $i \in \underline{n}$. Then the mapping

$$\varphi : G \to K, \qquad x_1 \cdots x_k \mapsto \overline{f_{i_1}(x_1) \cdots f_{i_k}(x_k)} \qquad (8)$$

where $x_j \in G_{i_j}$, $j \in \underline{k}$, is an epimorphism. Moreover, $\varphi|_{G_i} = f_i$ for all $i \in \underline{n}$.

Proof. Since $K = \langle Y \rangle$ where $Y = \bigcup_{i \in \underline{n}} K_i^\#$, the surjectivity of the mapping $\varphi$ follows from the surjectivity of the mappings $f_i$, $i \in \underline{n}$. Next, let $\varphi_0 : W_X \to W_Y$ be the mapping taking $x_1 \cdots x_k$ to $f_{i_1}(x_1) \cdots f_{i_k}(x_k)$. Then it is easy to see that $\varphi(g) = \overline{\varphi_0(g)}$ for all $g \in G$ and $\varphi_0(ww') = \varphi_0(w)\varphi_0(w')$ for all $w, w' \in W_X$. Since $\overline{ww'} = \overline{\bar{w}\,\bar{w}'}$ for all $w, w' \in W_X$, this implies that

$$\varphi(g)\varphi(h) = \overline{\overline{\varphi_0(g)}\;\overline{\varphi_0(h)}} = \overline{\varphi_0(g)\varphi_0(h)} = \overline{\varphi_0(gh)} = \varphi(gh)$$

for all $g, h \in G$. Thus the mapping $\varphi$ is a homomorphism. Since obviously $\varphi|_{G_i} = f_i$ for all $i \in \underline{n}$, we are done. ■

Let $H$ be a finite nonidentity group and $K$ be the free product of the cyclic groups generated by all the nonidentity elements of $H$. Set

$$\mathcal{R}^{(1)} = \{ h^{(i)} h' \in W_{H^\#} : h, h' \in H^\#,\ i < m_h,\ h^i \cdot h' = 1_H \},$$

$$\mathcal{R}^{(2)} = \{ h h' h'' \in W_{H^\#} : h, h', h'' \in H^\#,\ h' \notin \langle h \rangle,\ h \cdot h' \cdot h'' = 1_H \}$$

where $h^{(i)}$ is the word of length $i \ge 1$ with all letters equal to $h$, $m_h$ is the order of $h \in H$ and $\cdot$ denotes the multiplication in $H$. Then one can see that

$$K = \langle H^\#; \mathcal{R}^{(0)} \rangle \qquad (9)$$

and there is the natural epimorphism $\psi' : K \to H'$ where $H' = \langle H^\#; \mathcal{R}^{(0)} \cup \mathcal{R}^{(1)} \cup \mathcal{R}^{(2)} \rangle$. Since the relations belonging to $\mathcal{R}^{(i)}$, $i = 0, 1, 2$, are satisfied in $H$, we conclude that $\ker(\psi') h_1 \ne \ker(\psi') h_2$ whenever $h_1$ and $h_2$ are different elements of $H$ (we identify $1_K$ and $1_H$). On the other hand, it is easy to see that any right coset of $K$ by $\ker(\psi')$ contains a word of length at most 1, i.e. an element of $H$. Thus $K = \bigcup_{h \in H} \ker(\psi') h$, the mapping

$$\psi : K \to H, \qquad k \mapsto h_k \qquad (10)$$

where $h_k$ is the uniquely determined element of $H$ for which $k \in \ker(\psi') h_k$, is an epimorphism and $\ker(\psi) = \ker(\psi')$.

3.2. Main construction of a homomorphic cryptosystem. Let $H$ be a finite nonidentity group and $N$ be a positive integer. We are going to describe a homomorphic cryptosystem $S(H, N)$ of size $O(N)$ over the group $H$. Suppose first that $H$ is a cyclic group of order $m > 1$. Then we set $S(H, N) = S_n(H, N)$ where $n \in D_{N,m}$ (see Theorem 2.1). If $H$ is not a cyclic group, then $S(H, N)$ is defined as follows.

Let $H^\# = \{h_1, \ldots, h_n\}$ where $n$ is a positive integer (clearly, $n \ge 3$). Set $D_{N,H} = \bigcup_{i \in \underline{n}} D_{N,m_i}$ where $m_i$ is the order of the group $K_i = \langle h_i \rangle$. Given $i \in \underline{n}$ choose $n_i \in D_{N,m_i}$ and set $S_i = (A_i, P_i, R_i)$ to be the homomorphic cryptosystem $S_{n_i}(K_i, N)$ with respect to the epimorphism $f_i : G_i \to K_i$ (see Theorem 2.1). Without loss of generality we assume that $G_i$ is a subgroup of the group $\mathbb{Z}_{n_i}^*$. Set

$$G = G_1 * \cdots * G_n, \qquad f = \psi \circ \varphi, \qquad (11)$$

where the mappings $\varphi$ and $\psi$ are defined by (8) and (10) respectively, with $K = K_1 * \cdots * K_n$. From Lemma 3.1 and the definition of $\psi$ it follows that the mapping $f : G \to H$ is an epimorphism from $G$ onto $H$.
To define a proof system for membership in $\ker(f)$ (see Subsection 1.2) we set

$$X_\varphi = X \cup A, \qquad X = \bigcup_{i \in \underline{n}} G_i \setminus \ker(f_i), \qquad A = \bigcup_{i \in \underline{n}} A_i, \qquad (12)$$

all the unions being disjoint. Denote by $\to$ the transitive closure of the binary relation $\Rightarrow$ on the set $W_{X_\varphi}$ defined by

$$v \Rightarrow w \ \text{ iff } \ w = x^{-1} x_0 v x, \qquad v, w \in W_{X_\varphi}, \qquad (13)$$

where $x \in X \cup \{1_A\}$ and $x_0 \in A \cup \{1_A\}$, with $1_A$ being the empty word of $W_{X_\varphi}$. Thus $v \to w$ if there exist words $w_1 = v, w_2, \ldots, w_l = w$ of $W_{X_\varphi}$ such that $w_i \Rightarrow w_{i+1}$ for $i \in \underline{l-1}$. We set

$$A_\varphi = \{ a \in W_{X_\varphi} : 1_A \to a \}, \qquad P_\varphi : A_\varphi \to G, \quad a_1 \cdots a_k \mapsto \overline{P_\varphi(a_1) \cdots P_\varphi(a_k)} \qquad (14)$$

where $P_\varphi|_X = \mathrm{id}_X$ and $P_\varphi|_{A_i} = P_i$ for all $i$. We observe that if $P_\varphi(v) \in \ker(\varphi)$ and $v \Rightarrow w$ for some $v, w \in W_{X_\varphi}$, then obviously $P_\varphi(w) \in \ker(\varphi)$ (see (13)). By induction on the size of a word this implies that $P_\varphi(A_\varphi) \subset \ker(\varphi)$. Next, set

$$A_\psi = \{ r \in R_\varphi : f(r) = 1_H \}, \qquad P_\psi : A_\psi \to G, \quad a \mapsto a \qquad (15)$$

where $R_\varphi = G \cap W_{R_\psi}$ and $R_\psi = \bigcup_{i \in \underline{n}} R_i$. It is easily seen that the restriction of $\varphi$ to the set $R_\varphi$ induces a bijection from this set to the group $K$. This shows that $R_\varphi$ is a right transversal of $\ker(\varphi)$ in $G$. Finally we define

$$A = A_\varphi \times A_\psi, \qquad P : A \to G, \quad (a, b) \mapsto P_\varphi(a) P_\psi(b). \qquad (16)$$

Let $R$ be a right transversal of $\ker(f)$ in $G$; for instance one can take $R = \{1_G\} \cup \{r_i\}_{i \in \underline{n}}$ where $r_i$ is the element of $R_i$ such that $\psi(r_i) = h_i$, $i \in \underline{n}$. Set $S(H, N) = (A, P, R)$.

3.3. Proof of Theorem 1.3.

First we observe that if $H$ is a cyclic group, then the required statement follows from Theorem 2.1. Suppose from now on that the group $H$ is not cyclic. Let us describe the presentations of the set $A$ and the groups $G$ and $K$. Given $i \in \underline{n}$ the elements $a \in A_i$ and $g \in G_i$, being elements of $\mathbb{Z}_{n_i}^*$, will be represented by the "letters" $]a, i[$ and $[g, i]$ respectively. This completely defines the representations of the set $A$ and the group $G$. We note that relying on (13), (14) and (15) one can randomly generate elements of $A$.

The group $G$ is represented by the subset (5) of the set $W_X$. To multiply two elements $g, h \in G$ one has to find the word $\overline{gh}$ of $W_X$. It is easy to see that this can be done by means of the recursive procedure (6) in time $((|g| + |h|)N)^{O(1)}$ (here $[x, i] \cdot [y, i] = [xy, i]$ for all $x, y \in \mathbb{Z}_{n_i}^*$, where $xy$ is the product modulo $n_i$ of the numbers $x$ and $y$, and $n_i = \exp(O(N))$ because $n_i \in D_{N,m_i}$). Since taking the inverse of $g \in G$ can easily be implemented in time $(|g|N)^{O(1)}$, we will estimate further the running time of the algorithms via the number of performed group operations in $G$ and via the sizes of the involved operands.

Finally the group $H$ as well as the groups $K_i$, $i \in \underline{n}$, are given by their multiplication tables, and the group $K$ is given by the presentation (9). Thus all the group operations in $K$ can be performed in time polynomial in the lengths of the input words belonging to $W_{H^\#}$.

Now, we have the following sequence of mappings:

$$A_\varphi \xrightarrow{P_\varphi} G_1 * \cdots * G_n \xrightarrow{\varphi} K_1 * \cdots * K_n \xrightarrow{\psi} H.$$

In the following two lemmas we study the homomorphisms $\varphi$ and $\psi$ from the algorithmic point of view.

Lemma 3.2 For the mapping $P_\varphi$ defined in (14) the following statements hold:

(i1) given $a \in A_\varphi$ the element $P_\varphi(a)$ can be found in time $|a|^{O(1)}$,

(i2) $\operatorname{im}(P_\varphi) = \ker(\varphi)$,

(i3) given an oracle $Q_i$ for the problem INVERSE($P_i$) for all $i \in \underline{n}$, the problem INVERSE($P_\varphi$) for $g \in G$ can be solved by means of at most $|g|^2$ calls of the oracles $Q_i$, $i \in \underline{n}$,

(i4) for each $i \in \underline{n}$ the problem INVERSE($P_i$) is polynomial time reducible to the problem INVERSE($P_\varphi$).

Proof. Let us prove statement (i1). Let $a = a_1 \cdots a_k$ be an element of $A_\varphi$. To find $P_\varphi(a)$ according to (14) we need to compute the words $P_\varphi(a_j)$, $j \in \underline{k}$, and then to compute the word $\bar{w}$ where $w = P_\varphi(a_1) \cdots P_\varphi(a_k)$. The first stage can be done in time $|a|^{O(1)}$ because each mapping $P_i$, $i \in \underline{n}$, is polynomial time computable due to Section 2. Since the size of $w$ equals $|a|$, the element $P_\varphi(a)$ can be found within a similar time bound (one should take into account that in the recursive procedure (6) applied for computing $\bar{w}$ from $w$ the length of the current word decreases at each step of the procedure).

To prove statements (i2) and (i3) we note first that the inclusion $\operatorname{im}(P_\varphi) \subset \ker(\varphi)$ was proved after the definition of $A_\varphi$ and $P_\varphi$ in (14). The converse inclusion as well as statement (i3) will be proved by means of the following recursive procedure which for a given element $g = x_1 \cdots x_k$ of $G$ with $x_j \in G_{i_j}$ for $j \in \underline{k}$, produces a certain pair $(a_g, t_g) \in A_\varphi \times G$. Below we show that this procedure actually solves the problem INVERSE($P_\varphi$).

Step 1. If $g = 1_G$, then output $(1_{A_\varphi}, 1_G)$.

Step 2. If the set $J = \{ j \in \underline{k} : x_j \in \ker(f_{i_j}) \}$ is empty, then output $(1_{A_\varphi}, g)$.

Step 3. Set $h = \overline{x_{j+1} \cdots x_k x_1 \cdots x_{j-1}}$ where $j$ is the smallest element of the set $J$.

Step 4. Recursively find the pair $(a_h, t_h)$. If $t_h \ne 1_G$, then output $(a_h, t_h)$.

Step 5. If $t_h = 1_G$, then output $(a_g, 1_G)$ where $a_g = x_1 \cdots x_{j-1} a_j a_h x_{j-1}^{-1} \cdots x_1^{-1}$ with $a_j$ being an arbitrary element of $A_{i_j}$ such that $P_{i_j}(a_j) = x_j$.

Since each recursive call at Step 4 is applied to the word $h \in G$ of size at most $|g| - 1$, the number of recursive calls is at most $|g|$. So the total number of oracle $Q_i$ calls, $i \in \underline{n}$, at Step 2 does not exceed $|g|^2$. Thus the running time of the algorithm is $|g|^{O(1)}$, and statements (i2), (i3) are consequences of the following lemma.

Lemma 3.3 $g \in \ker(\varphi)$ iff $t_g = 1_G$. Moreover, if $t_g = 1_G$, then $a_g \in A_\varphi$ and $P_\varphi(a_g) = g$.

Proof. We will prove both statements by induction on $k = |g|$. If $k = 0$, then the procedure terminates at Step 1 and we are done. Suppose that $k > 0$. If the procedure terminates at Step 2, then $t_g \ne 1_G$. In this case we have $|\varphi(g)| = |g| = k > 0$, whence $g \notin \ker(\varphi)$. Let the procedure terminate at Step 4 or at Step 5. Then $|h| \le |g| - 1$ (see Step 3). So by the induction hypothesis we can assume that $h \in \ker(\varphi)$ iff $t_h = 1_G$. On the other hand, taking into account that $x_j \in \ker(f_{i_j})$ (see the definition of $j$ at Step 3) we get that $h \in \ker(\varphi)$ iff $u x_j h u^{-1} \in \ker(\varphi)$ where $u = x_1 \cdots x_{j-1}$. Since

$$u x_j h u^{-1} = \overline{x_1 \cdots x_{j-1} x_j h x_{j-1}^{-1} \cdots x_1^{-1}} = \overline{x_1 \cdots x_k} = \bar{g} = g, \qquad (17)$$

this means that $g \in \ker(\varphi)$ iff $h \in \ker(\varphi)$ iff $t_h = 1_G$. This proves the first statement of the lemma because $t_h = t_g$ due to Steps 4 and 5.

To prove the second statement, suppose that $t_g = 1_G$. Then the above argument shows that $h \in \ker(\varphi)$ and so $a_h \in A_\varphi$ and $P_\varphi(a_h) = h$ by the induction hypothesis. This implies that $1_A \to a_h$. On the other hand, from the definition of $a_g$ at Step 5 it follows that $a_h \to a_g$ (see (13)). Thus $1_A \to a_g$, i.e. $a_g \in A_\varphi$ (see (14)). Besides, from the minimality of $j$ it follows that $x_l \in X$ (see (12)) and hence $P_\varphi(x_l) = x_l$ and $P_\varphi(x_l^{-1}) = x_l^{-1}$ for all $l \in \underline{j-1}$ (see (14)). Since $P_\varphi(a_j) = x_j$ and $\bar{h} = h = \overline{x_{j+1} \cdots x_k x_1 \cdots x_{j-1}}$ (see Step 3), we obtain by (17) that

$$P_\varphi(a_g) = u x_j P_\varphi(a_h) u^{-1} = u x_j h u^{-1} = g,$$

which completes the proof of Lemma 3.3. ■

To prove statement (i4) let $i \in \underline{n}$ and $g \in G_i$. Then since obviously $g \in \ker(f_i)$ iff $g \in \ker(\varphi)$, one can test whether $g \in \ker(f_i)$ by means of an algorithm solving the problem INVERSE($P_\varphi$). Moreover, if $g \in \ker(f_i)$, then this algorithm yields an element $a \in A_\varphi$ such that $P_\varphi(a) = g$. Then assuming $a = a_1 \cdots a_k$ with $a_j \in X_\varphi$, the set $J_a = \{ j \in \underline{k} : a_j = \,]a_j^*, i[\, \}$ can be found in time $O(|a|)$ (we recall that due to our presentation any element $a_j$ is of the form either $]a_j^*, i_j[$ or $[a_j^*, i_j]$ where $i_j \in \underline{n}$ and $a_j^* \in \mathbb{Z}_{n_{i_j}}^*$, and $P_{i_j}(a_j^*) \in \ker(f_{i_j})$ iff $a_j \in A$ iff $a_j = \,]a_j^*, i_j[$). Now the element

$$a^* = \prod_{j \in J_a} a_j^*$$

obviously belongs to the set $A_i \subset A$. On the other hand, since $g \in G_i$, we get by (7) that

$$g = P_\varphi(a_1) \cdots P_\varphi(a_k) = \prod_{j \in J} P_\varphi(a_j) \qquad (18)$$

where $J = \{ j \in \underline{k} : P_\varphi(a_j) \in G_i \}$. Taking into account that $G_i$ is an Abelian group and the mapping $P_i : A_i \to G_i$ is a homomorphism, we have

$$\prod_{j \in J} P_\varphi(a_j) = \prod_{j \in J_a} P_\varphi(a_j) \prod_{j \in J \setminus J_a} P_\varphi(a_j) = P_i(a^*) \prod_{j \in J \setminus J_a} P_\varphi(a_j). \qquad (19)$$

Moreover, since $1_A \to a$, from (13) it follows that there exists an involution $j \mapsto j'$ on the set $J \setminus J_a$ such that $a_j = [a_j^*, i]$ iff $a_{j'} = [(a_j^*)^{-1}, i]$ (we recall that $a_j = \,]a_j^*, i[$ for $j \in J_a$ and $a_j = [a_j^*, i]$ for $j \in J \setminus J_a$). This implies that $\prod_{j \in J \setminus J_a} P_\varphi(a_j) = 1_G$. Thus from (18) and (19) we conclude that:

This shows that the element $a^* \in A_i$ with $P_\varphi(a^*) = g$ can be constructed from $a$ in time $O(|a|)$. Using condition (H1) for the cryptosystem $S_i$, one can efficiently transform the element $a^*$ into a random element $a$ such that $P_\varphi(a) = P_\varphi(a^*) = g$. Thus the problem INVERSE($P_i$) is polynomial time reducible to the problem INVERSE($P_\varphi$). Lemma 3.2 is proved. ■

Lemma 3.4 Let $K$ be the group given by presentation (9) and let the epimorphism $\psi$ be 
defined by (10). Then given $k \in K$ one can find the element $\psi(k)$ in time $(|k|\,|H|)^{O(1)}$. 

Proof. It is easy to see that the group $K$ can be identified with the subset of the set $W_{H^{\#}}$ 
consisting of the words $w$ such that the length of any subword of $w$ of the form $h \cdots h$ (i.e. the repetition of 
a letter $h$) is at most $m_h - 1$. Having this in mind, we claim that the following recursive 
procedure computes $\psi(k)$ for all $k = x_1 \cdots x_t \in K$. 

Step 1. If $t \le 1$, then output $\psi(k) = k$. 
Step 2. Choose $h \in H$ such that $x_1 x_2 h \in \mathcal{R}^{(1)} \cup \mathcal{R}^{(2)}$. 
Step 3. Output $\psi(k) = \psi(h^{-1} x_3 \cdots x_t)$. 

The correctness of the procedure follows from the definitions of the sets $\mathcal{R}^{(1)}$, $\mathcal{R}^{(2)}$ and the 
fact that the recursion at Step 3 is always applied to a word whose length is smaller than 
the length of the current word. In fact, the above procedure produces the representation 
of $k$ in the form $k = w_1 \cdots w_{t-1}\, \psi(k)$, where $w_j \in \mathcal{R}^{(1)} \cup \mathcal{R}^{(2)}$ for all $j \in t-1$ and 
$\psi(k) \in H$. Since obviously $w_1 \cdots w_{t-1} \in \ker(\psi)$, we conclude that $\psi(k) = h_k$ (see (10)). 
To complete the proof it suffices to note that the running time of the above procedure is 

$$O\big(|k|\,(|\mathcal{R}^{(1)}| + |\mathcal{R}^{(2)}|)\big). \quad ■$$

Finally, let us complete the proof of Theorem 1.3. First, we observe that by Lemma 3.1 
the mapping $f : G \to H$ is a composition of two epimorphisms and so is an epimorphism 
too. Next, to prove that the mapping $P : A \to \ker(f)$ is a surjection, we recall that the 
set $R_\varphi$ defined after (13) is a right transversal of $\ker(\varphi)$ in $G$. So given $g \in \ker(f)$ there 
exist uniquely determined elements $g_\varphi \in \ker(\varphi)$ and $r_\varphi \in R_\varphi$ such that $g = g_\varphi r_\varphi$. Since 

$$1_H = f(g) = \psi(\varphi(g_\varphi r_\varphi)) = \psi(\varphi(r_\varphi)) = f(r_\varphi),$$

we see that $r_\varphi \in A_\psi$ (see (15)). Besides, from statement (i2) of Lemma 3.2 it follows that 
there exists $a \in A_\varphi$ for which $P_\varphi(a) = g_\varphi$. Therefore, due to (16) we have 

$$P(a, r_\varphi) = P_\varphi(a) P_\psi(r_\varphi) = g_\varphi r_\varphi = g.$$

Thus the mapping $P$ is a surjection. Since conditions (H1)-(H3) of Definition 1.1 are 
satisfied (see the end of Subsection 3.2), it remains to verify condition (H4), i.e. that 
$P$ is a trapdoor function. 

First, we observe that by statement (i1) of Lemma 3.2 and by Lemma 3.1 the mappings 
$P_\varphi$ and $P_\psi$ are polynomial time computable, whence so is the mapping $P$. Next, 
given an element $g \in G$ there exists a uniquely determined element $r \in R$ such that 
$f(g) = f(r)$ or, equivalently, $f(g r^{-1}) = 1_H$. Since $|R| = O(1)$, this implies that the 
problem of computing the epimorphism $f$ is polynomial time equivalent to the 
problem of recognizing elements of $\ker(f)$ in $G$, i.e. in our setting to the problem 
INVERSE($P$). Thus, we have to show that 

(a) the problem INVERSE($P$) can be efficiently solved by using the trapdoor 
information for the homomorphic cryptosystems $(R_i, A_i, P_i)$, $i \in n$, i.e. the factoring 
of the integers $n_i$; 

(b) for any $i \in n$ the problem INVERSE($P_i$) (to which the factoring of the integer $n_i$ is 
reduced) is polynomial time reducible to the problem INVERSE($P$). 
Suppose that for each $i \in n$ there is an oracle for the problem INVERSE($P_i$). Then given 
$g_i \in G_i$ one can find the element $f_i(g_i)$ in time $N^{O(1)}$. So given $g \in G$ the element $k = \varphi(g)$ 
can be found in time $(|g| N)^{O(1)}$ (see (8)). Since $f(g) = \psi(\varphi(g)) = \psi(k)$ and $|k| \le |g|$, one 
can find $\psi(k)$ by Lemma 3.4 and then test whether $g \in \ker(f)$ within the same time. 
Moreover, due to condition (H3) for the cryptosystems $S_i$, $i \in n$, one can efficiently find an 
element $r$ belonging to the right transversal $R_\varphi$ of $\ker(\varphi)$ in $G$ such that $\varphi(r) = k$ and 
$|r| \le |k|$. Now if $g \in \ker(f)$, then $\psi(k) = 1_H$ and so $r \in A_\psi$. Furthermore, 

$$\varphi(g r^{-1}) = \varphi(g)\varphi(r^{-1}) = k k^{-1} = 1_K.$$

Finally, from statement (i3) of Lemma 3.2 it follows that one can find in time $(|g| N)^{O(1)}$ 
an element $a \in A_\varphi$ such that $P_\varphi(a) = g r^{-1}$. Thus we obtain 

$$P(a, r) = P_\varphi(a) P_\psi(r) = g r^{-1} r = g,$$

which proves claim (a). 

To prove claim (b) let $g \in G$. If $g \notin \ker(f)$, then obviously $g \notin \ker(\varphi)$. Let now 
$g \in \ker(f)$ and $(a, b) \in A$ be such that $P_\varphi(a) P_\psi(b) = g$. Since $P_\psi(b)$ belongs to the 
right transversal $R_\varphi$ of $\ker(\varphi)$ in $G$, it follows that $g \in \ker(\varphi)$ iff $P_\psi(b) = 1_G$. Moreover, 
if $P_\psi(b) = 1_G$, then obviously $P_\varphi(a) = g$. Taking into account that the element $P_\psi(b)$ 
can be found in time $|b|^{O(1)}$ (see (15)), we conclude that the problem INVERSE($P_\varphi$) is 
polynomial time reducible to the problem INVERSE($P$). Thus claim (b) follows from 
statement (i4) of Lemma 3.2. Theorem 1.3 is proved. ■ 

4 Encrypted simulating of boolean circuits 

Let $B = B(X_1, \ldots, X_n)$ be a boolean circuit and $H$ a group. Following [1] we say that 
a word 

$$h_1^{X_{l_1}} \cdots h_m^{X_{l_m}}, \qquad h_1, \ldots, h_m \in H, \quad l_1, \ldots, l_m \in n, \qquad (20)$$

is a simulation of size $m$ of $B$ in $H$ if there exists a certain element $h \in H^{\#}$ such that the 
equality 

$$h_1^{x_{l_1}} \cdots h_m^{x_{l_m}} = h^{B(x_1, \ldots, x_n)}$$

holds for any boolean vector $(x_1, \ldots, x_n) \in \{0,1\}^n$. It is proved in [1] that given an 
arbitrary unsolvable group $H$ and a boolean circuit $B$ there exists a simulation of $B$ in $H$ 
whose size is exponential in the depth of $B$ (in particular, when the depth 
of $B$ is logarithmic, $O(\log n)$, the size of the simulation is $n^{O(1)}$). 

We say that the circuit $B$ is encrypted simulated over a homomorphic cryptosystem 
with respect to an epimorphism $f : G \to H$ (we use the notation of Definition 1.1) if 
there exist $g_1, \ldots, g_m \in G$ and a certain element $h \in H^{\#}$ such that 

$$f\big(g_1^{x_{l_1}} \cdots g_m^{x_{l_m}}\big) = h^{B(x_1, \ldots, x_n)} \qquad (21)$$

for any boolean vector $(x_1, \ldots, x_n) \in \{0,1\}^n$. Thus having a simulation (20) of the 
circuit $B$ in $H$ one can produce an encrypted simulation of $B$ by choosing randomly 
$g_i \in G$ such that $f(g_i) = h_i$, $i \in m$ (in this case equality (21) is obvious). Now combining 
Theorem 1.3 with the above mentioned result from [1] we get the following statement. 

Corollary 4.1 For an arbitrary finite unsolvable group $H$, a homomorphic cryptosystem 
$S$ of size $N$ over $H$ and any boolean circuit of logarithmic depth $O(\log N)$ one can 
design in time an encrypted simulation of this circuit over $S$. ■ 

The meaning of an encrypted simulation is that given (publicly) the elements 
$g_1, \ldots, g_m \in G$ and $h \in H^{\#}$ from (21), it should supposedly be difficult to evaluate 
$B(x_1, \ldots, x_n)$, since for this purpose one has to verify whether the element $g_1^{x_{l_1}} \cdots g_m^{x_{l_m}}$ 
belongs to $\ker(f)$. On the other hand, the latter can be performed using the trapdoor 
information. In conclusion let us mention the following two known protocols of interaction 
(cf. e.g. [21, 22]) based on encrypted simulations. 

The first protocol is called evaluating an encrypted circuit. Assume that Alice knows a 
trapdoor in a homomorphic cryptosystem over a group $H$ with respect to an epimorphism 
$f : G \to H$ and possesses a boolean circuit $B$ which she prefers to keep secret, and Bob 
wants to evaluate $B(x)$ at an input $x = (x_1, \ldots, x_n)$ (without knowing $B$ and without 
disclosing $x$). To accomplish this, Alice transmits to Bob an encrypted simulation (21) 
of $B$; then Bob calculates the element $g = g_1^{x_{l_1}} \cdots g_m^{x_{l_m}}$ and sends it back to Alice, who 
computes and communicates the value $f(g)$ to Bob. If the depth of the boolean circuit $B$ 
is $O(\log N)$ and the homomorphic cryptosystem is as in Subsection 3.2, then due to 
Corollary 4.1 the protocol can be realized in time (here we make use of the fact that the 
size of a product of two elements in $G$ does not exceed the sum of their sizes). 
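As an added example (not code from the paper), the following Python checks a Barrington-style word of form (20) for the AND of two variables in $H = S_5$ and then runs the first protocol over a toy epimorphism $f$, the projection from $G = S_5 \times \mathbb{Z}_7$ onto $S_5$. The two 5-cycles, the toy $G$ and all function names are assumptions; the toy $f$ has no trapdoor, so it shows only the mechanics of (21), not a secure instance.

```python
from itertools import product
from random import randrange
# H = S_5: a permutation is a tuple p with p[i] the image of i.
IDENT = (0, 1, 2, 3, 4)

def compose(p, q):
    """Product p*q with q applied first."""
    return tuple(p[q[i]] for i in range(5))

def inverse(p):
    """Position j of the result holds the i with p[i] == j."""
    return tuple(sorted(range(5), key=p.__getitem__))

def and_word(alpha, beta, lx, ly):
    """Word (20) for X_lx AND X_ly: alpha^x beta^y alpha^-x beta^-y as pairs (h_i, l_i)."""
    return [(alpha, lx), (beta, ly), (inverse(alpha), lx), (inverse(beta), ly)]

def evaluate_word(word, x, mul, one):
    """h_1^{x_{l_1}} ... h_m^{x_{l_m}} at boolean vector x in the group (mul, one)."""
    g = one
    for h, l in word:
        if x[l]:
            g = mul(g, h)
    return g

def is_simulation(word, circuit, n, h):
    """Check that the word equals h^{B(x)} for every x in {0,1}^n."""
    return all(evaluate_word(word, x, compose, IDENT) == (h if circuit(x) else IDENT)
               for x in product((0, 1), repeat=n))

ALPHA, BETA = (1, 2, 3, 4, 0), (2, 0, 4, 1, 3)          # two 5-cycles (constructed choice)
AND_WORD = and_word(ALPHA, BETA, 0, 1)
GAMMA = evaluate_word(AND_WORD, (1, 1), compose, IDENT)  # their commutator, again a 5-cycle

# Toy G = S_5 x Z_7 with f = projection onto S_5: an epimorphism with no trapdoor,
# constructed only to show the mechanics of (21) and of the first protocol.
MOD = 7
def g_mul(a, b):
    return (compose(a[0], b[0]), (a[1] + b[1]) % MOD)
def f(g):
    return g[0]

def encrypt_word(word):
    """Alice lifts each (h_i, l_i) to (g_i, l_i) with f(g_i) = h_i, kernel part random."""
    return [((h, randrange(MOD)), l) for h, l in word]

def evaluate_encrypted(encrypted_word, x, h):
    """Bob forms g = g_1^{x_{l_1}} ... g_m^{x_{l_m}} in G; Alice applies f and reads B(x)."""
    g = evaluate_word(encrypted_word, x, g_mul, (IDENT, 0))  # Bob: no trapdoor needed
    return 1 if f(g) == h else 0                              # Alice: computes f(g)
```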

In a different setting one could consider in a similar way evaluating an encrypted 
circuit $B_H(y_1, \ldots, y_n)$ over a group $H$ (rather than a boolean one), being a sequence of 
group operations in $H$ with inputs $y_1, \ldots, y_n \in H$. The second (dual) protocol is called 
evaluating at an encrypted input. Now Alice has an input $y = (y_1, \ldots, y_n)$ (which she wants to 
conceal) which she encrypts randomly by a tuple $z = (z_1, \ldots, z_n) \in G^n$ 
such that $f(z_i) = y_i$, $i \in n$, and transmits $z$ to Bob. In his turn, Bob, who knows a circuit 
$B_H$ (which he wants to keep secret), produces its "lifting" $f^{-1}(B_H)$ to $G$ by replacing 
every constant $h \in H$ occurring in $B_H$ by any $g \in G$ such that $f(g) = h$ and replacing the 
group operations in $H$ by the group operations in $G$, respectively. Then Bob evaluates 
the element $(f^{-1}(B_H))(z) \in G$ and sends it back to Alice; finally Alice applies $f$ and 
obtains $f((f^{-1}(B_H))(z)) = B_H(y)$ (even without revealing it to Bob). Again, if the depth 
of the circuit $B_H$ is $O(\log N)$ and the homomorphic cryptosystem is as in Subsection 3.2, 
then the protocol can be realized in time $N^{O(1)}$. 

It would be interesting to design homomorphic cryptosystems over rings rather than 
groups. 